I had a chance to review the 2010 Verizon Data Breach Report today, which I was alerted to by ISC.SANS.ORG. They’ve put together data from 2004 through 2009, and it is quite interesting.
These are from confirmed data breach cases.
Here are three of the scariest stats in the document:
- 86% of victims had evidence of the breach in their log files
- 96% of breaches were avoidable through simple or intermediate controls
- 79% of victims subject to PCI DSS had not achieved compliance
In short, 4 out of 5 organizations that were supposed to be compliant with one particular regulation were not. They were infiltrated through easily avoidable weaknesses, and the evidence of their compromise was sitting right in their own logs, yet they never discovered it themselves.
That is a sad state of affairs…
All is not lost, however. The report did have a few bright notes. Please take some time to review it when you can.